001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.pacl.checker;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.security.pacl.permission.PortalRuntimePermission;
020    import com.liferay.portal.kernel.util.GetterUtil;
021    import com.liferay.portal.kernel.util.StringPool;
022    import com.liferay.portal.kernel.util.Validator;
023    
024    import java.security.Permission;
025    
026    import java.util.Set;
027    import java.util.TreeSet;
028    
029    import sun.reflect.Reflection;
030    
031    /**
032     * @author Brian Wing Shun Chan
033     */
034    public class PortalRuntimeChecker extends BaseChecker {
035    
036            public void afterPropertiesSet() {
037                    initExpandoBridgeClassNames();
038                    initGetBeanPropertyClassNames();
039                    initSearchEngineIds();
040                    initSetBeanPropertyClassNames();
041                    initThreadPoolExecutorNames();
042            }
043    
044            public void checkPermission(Permission permission) {
045                    PortalRuntimePermission portalRuntimePermission =
046                            (PortalRuntimePermission)permission;
047    
048                    String name = portalRuntimePermission.getName();
049                    Object subject = portalRuntimePermission.getSubject();
050                    String property = GetterUtil.getString(
051                            portalRuntimePermission.getProperty());
052    
053                    if (name.equals(PORTAL_RUNTIME_PERMISSION_EXPANDO_BRIDGE)) {
054                            String className = (String)subject;
055    
056                            if (!_expandoBridgeClassNames.contains(className)) {
057                                    throwSecurityException(
058                                            _log, "Attempted to get Expando bridge on " + className);
059                            }
060                    }
061                    else if (name.equals(PORTAL_RUNTIME_PERMISSION_GET_BEAN_PROPERTY)) {
062                            Class<?> clazz = (Class<?>)subject;
063    
064                            if (!hasGetBeanProperty(clazz, property)) {
065                                    if (Validator.isNotNull(property)) {
066                                            throwSecurityException(
067                                                    _log,
068                                                    "Attempted to get bean property " + property + " on " +
069                                                            clazz);
070                                    }
071                                    else {
072                                            throwSecurityException(
073                                                    _log, "Attempted to get bean property on " + clazz);
074                                    }
075                            }
076                    }
077                    else if (name.equals(PORTAL_RUNTIME_PERMISSION_SEARCH_ENGINE)) {
078                            String searchEngineId = (String)subject;
079    
080                            if (!_searchEngineIds.contains(searchEngineId)) {
081                                    throwSecurityException(
082                                            _log, "Attempted to get search engine " + searchEngineId);
083                            }
084                    }
085                    else if (name.equals(PORTAL_RUNTIME_PERMISSION_SET_BEAN_PROPERTY)) {
086                            Class<?> clazz = (Class<?>)subject;
087    
088                            if (!hasSetBeanProperty(clazz, property)) {
089                                    if (Validator.isNotNull(property)) {
090                                            throwSecurityException(
091                                                    _log,
092                                                    "Attempted to set bean property " + property + " on " +
093                                                            clazz);
094                                    }
095                                    else {
096                                            throwSecurityException(
097                                                    _log, "Attempted to set bean property on " + clazz);
098                                    }
099                            }
100                    }
101                    else if (name.equals(PORTAL_RUNTIME_PERMISSION_THREAD_POOL_EXECUTOR)) {
102                            String threadPoolExecutorName = (String)subject;
103    
104                            if (!_threadPoolExecutorNames.contains(threadPoolExecutorName)) {
105                                    throwSecurityException(
106                                            _log,
107                                            "Attempted to modify thread pool executor " +
108                                                    threadPoolExecutorName);
109                            }
110                    }
111            }
112    
113            protected boolean hasGetBeanProperty(Class<?> clazz, String property) {
114                    String className = clazz.getName();
115    
116                    if (_getBeanPropertyClassNames.contains(className)) {
117                            return true;
118                    }
119    
120                    if (Validator.isNotNull(property)) {
121                            if (_getBeanPropertyClassNames.contains(
122                                            className.concat(StringPool.POUND).concat(property))) {
123    
124                                    return true;
125                            }
126                    }
127    
128                    Class<?> callerClass10 = Reflection.getCallerClass(10);
129    
130                    return isTrustedCallerClass(callerClass10);
131            }
132    
133            protected boolean hasSetBeanProperty(Class<?> clazz, String property) {
134                    String className = clazz.getName();
135    
136                    if (_setBeanPropertyClassNames.contains(className)) {
137                            return true;
138                    }
139    
140                    if (Validator.isNotNull(property)) {
141                            if (_setBeanPropertyClassNames.contains(
142                                            className.concat(StringPool.POUND).concat(property))) {
143    
144                                    return true;
145                            }
146                    }
147    
148                    return false;
149            }
150    
151            protected void initExpandoBridgeClassNames() {
152                    _expandoBridgeClassNames = getPropertySet(
153                            "security-manager-expando-bridge");
154    
155                    if (_log.isDebugEnabled()) {
156                            Set<String> classNames = new TreeSet<String>(
157                                    _expandoBridgeClassNames);
158    
159                            for (String className : classNames) {
160                                    _log.debug("Allowing Expando bridge on class " + className);
161                            }
162                    }
163            }
164    
165            protected void initGetBeanPropertyClassNames() {
166                    _getBeanPropertyClassNames = getPropertySet(
167                            "security-manager-get-bean-property");
168    
169                    if (_log.isDebugEnabled()) {
170                            Set<String> classNames = new TreeSet<String>(
171                                    _getBeanPropertyClassNames);
172    
173                            for (String className : classNames) {
174                                    _log.debug("Allowing get bean property on class " + className);
175                            }
176                    }
177            }
178    
179            protected void initSearchEngineIds() {
180                    _searchEngineIds = getPropertySet("security-manager-search-engine-ids");
181    
182                    if (_log.isDebugEnabled()) {
183                            Set<String> searchEngineIds = new TreeSet<String>(_searchEngineIds);
184    
185                            for (String searchEngineId : searchEngineIds) {
186                                    _log.debug("Allowing search engine " + searchEngineId);
187                            }
188                    }
189            }
190    
191            protected void initSetBeanPropertyClassNames() {
192                    _setBeanPropertyClassNames = getPropertySet(
193                            "security-manager-set-bean-property");
194    
195                    if (_log.isDebugEnabled()) {
196                            Set<String> classNames = new TreeSet<String>(
197                                    _setBeanPropertyClassNames);
198    
199                            for (String className : classNames) {
200                                    _log.debug("Allowing set bean property on class " + className);
201                            }
202                    }
203            }
204    
205            protected void initThreadPoolExecutorNames() {
206                    _threadPoolExecutorNames = getPropertySet(
207                            "security-manager-thread-pool-executor-names");
208    
209                    if (_log.isDebugEnabled()) {
210                            Set<String> threadPoolExecutorNames = new TreeSet<String>(
211                                    _threadPoolExecutorNames);
212    
213                            for (String threadPoolExecutorName : threadPoolExecutorNames) {
214                                    _log.debug(
215                                            "Allowing thread pool executor " + threadPoolExecutorName);
216                            }
217                    }
218            }
219    
220            private static Log _log = LogFactoryUtil.getLog(PortalRuntimeChecker.class);
221    
222            private Set<String> _expandoBridgeClassNames;
223            private Set<String> _getBeanPropertyClassNames;
224            private Set<String> _searchEngineIds;
225            private Set<String> _setBeanPropertyClassNames;
226            private Set<String> _threadPoolExecutorNames;
227    
228    }